What is PCI Compliance and why should you care?

The Payment Card Industry Data Security Standard (PCI DSS), first published in 2004 and now maintained by the PCI Security Standards Council, was created to provide “an actionable framework for developing a robust account data security process – including preventing, detecting and reacting to security incidents.” While the card brands’ requirements are specifically aimed at protecting card data, the controls required for compliance (network segmentation, access control, logging and monitoring, vulnerability management, and so on) are general security best practices that extend well beyond keeping customer credit card data safe.

Why Be PCI Compliant?

If you process credit cards, you should at the very least use a payment vendor that is PCI compliant. For many companies that is the best solution, but it does not remove your own obligation: every merchant that accepts cards is subject to PCI DSS, and your transaction volume determines how you must validate compliance, from a self-assessment questionnaire up to an on-site assessment by a Qualified Security Assessor. Since XMission processes tens of thousands of customer credit card payments every month, we have maintained PCI compliance for years. As a hosting and colocation provider, XMission is required to complete the most rigorous self-assessment questionnaire, SAQ D (validation type 5 under PCI DSS v2.0). Finally, maintaining compliance should give you some peace of mind, and it can limit your liability to the card brands and your acquiring bank if you do suffer a breach.

Why does it matter?

The PCI Data Security Standard and its supporting documents represent a common set of industry tools and measurements to help ensure the safe handling of sensitive information. To reduce the risk of compromise and mitigate its impact if one does occur, it is important that every entity storing, processing, or transmitting cardholder data be compliant. With credit card data a top target for cyber thieves, taking precautions is common sense. Post-mortem analysis of compromises has repeatedly found that the security weaknesses exploited were ones PCI DSS addresses, but that the controls were not in place at the breached organizations. PCI DSS includes detailed requirements for exactly this reason: to minimize the chance of compromise and the damage if one does occur. In other words, PCI DSS is grounded in forensic data from real breaches, and its requirements are designed to protect against known attack vectors.

What does this mean for businesses that rely on ecommerce?

First, don’t think of PCI compliance as unnecessary hoops you have to jump through; think of it as a set of tried and true best practices that protect your company’s data as well as your customers’. If you host elsewhere and don’t know whether your hosting provider is compliant, find out. Ideally they should also undergo an annual SSAE 16 (SOC 1) audit; note that a SOC 1 report covers controls relevant to financial reporting, so if you want an auditor’s opinion on security controls specifically, ask for a SOC 2 report as well. If for any reason you’re not satisfied with the answers from your current hosting provider, think seriously about switching to a business that takes security and compliance seriously. This is not something your business can afford to be lackadaisical about.

If you already host with XMission, note that while XMission’s compliance is likely an essential component of your colocated and hosted servers earning compliance, you must still complete your own PCI DSS SAQ; your merchant bank determines which validation you need, based on transaction volume for instance. Documents, including a copy of the SAQ, are available here.